How to reset the Provisioning Repository password for IMPS on Windows?

book

Article ID: 141211

calendar_today

Updated On:

Products

CA Identity Manager CA Identity Governance CA Identity Portal CA Identity Suite

Issue/Introduction

This Knowledge doc should be implemented only when there is a mismatch between the password in CA Identity Manager Provisioning Directory (IMPD) and the one in registry and which means the CA Identity Manager Provisioning Server (IMPS) is unable to start without authorizing anonymous access for IMPS/IMPD communication.

In such a case, the Identity Manager Provisioning Server service cannot start up and errors like the ones below appear in the etatrans log

LDAP_INVALID_CREDENTIALS 

Verifying that directory DSA 'impd-main' is available.

ldaps://impd-machine-name:20391. Connecting (busy=0, waiters=0, connecting=1)

ldaps://impd-machine-name:20391. Failed to connect: RC=LDAP_INVALID_CREDENTIALS (0x31) Retry=0

***** STARTUP ERROR [EtaServer] *****: Required directory DSA 'impd-main' is not available.  Shutting down IM Provisioning Server.

***** SHUTDOWN of Identity Manager Provisioning Server initiated *****

 

How do we reset the Provisioning Repository password for IM Provisioning Server running on Windows?

Environment

Release : 14.x

Component : IdentityMinder(Identity Manager)

Resolution

The following are the steps are for Windows deployments of CA Identity Manager Provisioning Components:

Enable anonymous access to the Provisioning Repository, please perform the steps on ALL Provisioning Repository machines

 

1. Go to Windows Services and stop the CA Identity Manager Provisioning Server

2.Open a Windows command prompt (Run As Administrator) 

3.Run the command 

 

dxserver stop all

 

edit $DXHOME/config/settings/impd.dxc, 
For example;

C:\Program Files\CA\Directory\dxserver\config\settings\impd.dxc

change the min-auth setting from:

       set min-auth = clear-password;

to:

       set min-auth = none;

4.edit all the Provisioning Repository DSA's knowledge files in $DXHOME/config/knowledge folder
For example;

C:\Program Files\CA\Directory\dxserver\config\knowledge

        *-impd-co.dxc

        *-impd-inc.dxc    

        *-impd-main.dxc   

        *-impd-notify.dxc 

        *-imps-router.dxc

change the auth-levels setting of each DSA from

        auth-levels   = clear-password

to:

        auth-levels   = anonymous, clear-password

5.start IM Provisioning Repository DSAs (from a Windows command prompt Run As Administrator)

 

dxserver start all


6. Go to Windows Services and stop the CA Identity Manager Provisioning Server

 
Change the userPassword on eTDSAContainerName=DSAs,eTNamespaceName=CommonObjects,dc=im,dc=etadb entry

1. Use Jxplorer or your preferred ldap browser, connect to the IM Provisioning Repository machine on port 20391 anonymously, and change userPassword value to a new password on  the following 2 entries:

        eTDSAContainerName=DSAs,eTNamespaceName=CommonObjects,dc=etadb

        eTDSAContainerName=DSAs,eTNamespaceName=CommonObjects,dc=im,dc=etadb

If prompted set password algorithm to "SSHA"


2. Ensure the Jxplorer (or similar LDAP Browser) can connect to the IM Provisioning Repository port 20391 with the new password

 
Adjust registry setting and allow IM Provisioning Server to access the Provisioning Repository anonymously, please perform the steps on ALL the machines hosting the Provisioning Server

1. Delete the following two registry keys 

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\ComputerAssociates\Identity Manager\Provisioning Server\Domains\eta\eTPasswordDB

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\ComputerAssociates\Identity Manager\Provisioning Server\Domains\im\eTPasswordDB
 
2. Restart the Windows CA Identity Manager Provisioning Server service

3. Review the etatrans log (by default it is located in c:\Program Files(x86)CA\Identity Manager\Provisioning Server\logs) and confirm the following lines presenting

ALERT: Repository password cannot be decrypted; ANONYMOUS access used for repository communication. Use Password Manager to re-establish repository password and check TLS/SSL settings.

...

Verifying that directory DSA 'impd-main' is available.

...

Verifying that directory DSA 'impd-co' is available.

...

Verifying that directory DSA 'impd-inc' is available.

...

Verifying that directory DSA 'impd-notify' is available.


3.confirm the administrative user can logon Provisioning Manager and search the Global Users

 
Use the Password Manager (pwdmgr) utiilty to re-establish repository password.  The utility is located in 

For example;

c:\Program Files (x86)\CA\Identity Manager\Provisioning Server\bin\pwdmgr.exe

Please perform the steps on ALL the machines hosting the Provisioning Server


1. Run the Password Manager (pwdmgr) utiilty

2. Re-establish repository password for accessing eta and im domains, for example

______________________________________

Administrator ID: etaadmin

Password for administrator:

Component: Provisioning Directory

Domain: eta

New Password: <new-password>

Confirm Password: <new-password>

Password locked down to the following host configuration

Password host: <impd-machine-name>

Password port: 20391

Password tls port: 20391

Successfully set password

WARNING: You must re-start your Provisioning Server for it to continue to work correctly

______________________________________ 

Administrator ID: etaadmin

Password for administrator:

Component: Provisioning Directory

Domain (enter "eta" for the top-level domain): im

New Password: <new-password>

Confirm Password: <new-password>

Password locked down to the following host configuration

Password host: <impd-machine-name>

Password port: 20391

Password tls port: 20391

Successfully set password

WARNING: You must re-start your Provisioning Server for it to continue to work correctly

______________________________________
 
Disable anonymous access to the Provisioning Repository, please perform the steps on ALL Provisioning Repository machines

1. Go to Windows Services and stop the CA Identity Manager Provisioning Server

2.Open a Windows command prompt (Run As Administrator) 

3.Run the command 

dxserver stop all

edit $DXHOME/config/settings/impd.dxc, 

For example;

C:\Program Files\CA\Directory\dxserver\config\settings\impd.dxc

       set min-auth = none;

to:

       set min-auth = clear-password;

3.edit all the Provisioning Repository DSA's knowledge files in $DXHOME/config/knowledge folder:

        *-impd-co.dxc

        *-impd-inc.dxc    

        *-impd-main.dxc   

        *-impd-notify.dxc 

        *-imps-router.dxc

change the auth-levels setting of each DSA from

        auth-levels   = anonymous, clear-password

to:

        auth-levels   = clear-password

4.re-load the configurations

 
dxserver init all


Restart IM Provisioning Server to verify the change.


1.stop the IM Provisioning Server

2.start the IM Provisioning Server

3.review the etatrans log and confirm there is no LDAP_INVALID_CREDENTIALS errors any more

4.confirm the administrative user can logon Provisioning Manager and search the Global Users

Additional Information

Also please refer to the associated Knowledge Article - How to reset the Provisioning Repository password for IMPS on Linux?

https://ca-broadcom.wolkenservicedesk.com/external/article?articleId=11377